You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
At the moment, LoopBack uses the builtin "crypto" modules in several place. When building a browser bundle, the crypto module adds whopping 650kb of code (unminified). We should review the usages of "crypto" module and replace them with a smaller implementation like sha.js and randombytes where possible.
This may be a breaking change.
A (partial) list of places to fix:
User.generateVerificationToken uses crypto.randomBytes. Proposal: use randombytes module instead.
Change.hash uses crypto.createHash. Defaults to sha1, but allows the user to provide a custom value. Proposal: remove the config option, always use require('sha.js/sha1') instead. Users should override the whole Change.hash method if they want to use a different algorithm. BREAKING CHANGE
Application generateKey uses crypto.createRandomBytes and crypto.createHmac. Proposal: either disable these methods in the browser or use a lightweight js-only implementation like hmac when running in the browser.
AccessToken.createAccessTokenId uses uid2 which uses crypto.pseudoRandomBytes.
*Proposal: use randombytes module instead. Consider creating a different AccessToken model for the browser, since it's rather unusual to create new AccessTokens in the browser client.
User.hasPassword and User.hashPassword is using bcryptjs that needs crypto. See User passwords in the browser #1249 for the relevant discussion.
remote connector uses request that internally depends on crypto.
Note: crypto-browserify provides stream-based interface in many places where a plain string/buffer interface would be sufficient. The stream-based interface adds another 55kb via readable-stream and 43kb via browserify buffer. When picking a replacement for the crypto module, we should prefer low-level libraries without stream interface in order to keep the bundle size low.
In case we can't make the breaking change in Change.hash, then we can at least try to use directly create-hash instead of crypto.createHash, it should decrease the bundle size too.
At the moment, LoopBack uses the builtin "crypto" modules in several place. When building a browser bundle, the crypto module adds whopping 650kb of code (unminified). We should review the usages of "crypto" module and replace them with a smaller implementation like sha.js and randombytes where possible.
This may be a breaking change.
A (partial) list of places to fix:
User.generateVerificationTokenusescrypto.randomBytes.Proposal: use randombytes module instead.
Change.hashusescrypto.createHash. Defaults tosha1, but allows the user to provide a custom value.Proposal: remove the config option, always use
require('sha.js/sha1')instead. Users should override the wholeChange.hashmethod if they want to use a different algorithm.BREAKING CHANGE
Application generateKeyusescrypto.createRandomBytesandcrypto.createHmac.Proposal: either disable these methods in the browser or use a lightweight js-only implementation like hmac when running in the browser.
AccessToken.createAccessTokenIdusesuid2which usescrypto.pseudoRandomBytes.*Proposal: use randombytes module instead. Consider creating a different AccessToken model for the browser, since it's rather unusual to create new AccessTokens in the browser client.
User.hasPasswordandUser.hashPasswordis usingbcryptjsthat needscrypto. See User passwords in the browser #1249 for the relevant discussion.Note: crypto-browserify provides stream-based interface in many places where a plain string/buffer interface would be sufficient. The stream-based interface adds another 55kb via readable-stream and 43kb via browserify buffer. When picking a replacement for the crypto module, we should prefer low-level libraries without stream interface in order to keep the bundle size low.
In case we can't make the breaking change in
Change.hash, then we can at least try to use directly create-hash instead ofcrypto.createHash, it should decrease the bundle size too.